Transcript of the slide deck "How to Protect Yourself from CryptoLocker Ransomware Variants"
boston.healthprivacyforum.com | #hitprivacy
December 5-7, 2016 Westin Boston Waterfront
How to Protect Yourself from CryptoLocker Ransomware Variants

Agenda

• High level topics
  – What is Ransomware?
  – What is vshadow?
  – How does an attacker abuse vshadow?
• Visibility
  – What happens on the host from the host point of view with CryptoLocker
• Stopping this Ransomware threat
  – How to prevent this infection with CryptoLocker V1
What Can Ransomware Do?

Ransomware can:
  o Prevent you from accessing Windows.
  o Encrypt files so you can't use them.
  o Stop certain apps from running (like your web browser).
  o Demand that you do something to get access to your PC or files.
  o Demand you pay money.
  o Make you complete surveys.

What is vshadow?

VShadow is a command-line tool that you can use to create and manage volume shadow copies. Also known as:
  ● Shadow Copy
  ● Volume Snapshot Service
  ● Volume Shadow Copy Service
  ● VSS
Using Microsoft against itself with Volume Shadows

• We have seen the volume shadow service used for a number of things, ranging from malware to penetration testing tools.
Abusing Shadows: Create shadow [screenshot: option used, shadow name]
Mounting the shadow with the "mklink" command: the malware is dropped into the shadow and mounted [screenshot: mklink option]
Starting the Malware [screenshot: malware process running, malware application running]
Hiding the malware in MSDC

Malware Running After Shadow is Deleted [screenshot: malware process running, shadow deleted, malware process still running after the shadow is deleted]
How did I know my system was infected?

What happens on the host from the host point of view

Search for all executables created in the last 30 days:

Get-ChildItem -Path 'C:\' -Filter "*.exe" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } | Select-Object FullName,CreationTime | Out-File -FilePath C:\out.txt

Finding the application hash:

certutil -hashfile pathToFileToCheck HashAlgorithm

HashAlgorithm choices: MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
What happens on the host from the host point of view [screenshot: registry key and registry values created by the infection]
How to detect this attack

• IOCs
  – Hashes
  – Filenames/paths
  – Registry Values
  – Network Connections
Hashes: MD5 values for vshadow-7-32.exe, vshadow-7-64.exe, vshadow-8-32.exe, vshadow-8-64.exe, vshadow-8.1-32.exe, vshadow-8.1-64.exe and vshadow-vista-64.exe
• Behaviors
  – Loading of Dependencies
  – Process of Execution
  – Usage of rarely executed native tools

• Detect loading of the DLL and ignore werfault
  – modload:vss_ps.dll cmdline:"-p" -path:System32\werfault.exe
• Command line or batch file usage of mklink
  – cmdline:""C:\Windows\system32\cmd.exe" /c mklink /D"
• Look for vshadow being run
  – process_name:vshadow.exe AND cmdline:"-p C:\"

Hiding the malware in Shadow

• path:device/harddiskvolumeshadowcopy*
• path:device/harddiskvolume*

Finding Vshadow Being Used
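The four detection rules above, written as Python predicates and run over constructed endpoint process events. This is an added example, not code from the slides or from Carbon Black; the event fields, the benign werfault baseline and the sample command lines are assumptions built for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ProcessEvent:
    process_name: str                              # image name, e.g. "vshadow.exe"
    cmdline: str                                   # command line as recorded by the sensor
    path: str                                      # device path the image ran from
    modloads: list = field(default_factory=list)   # DLLs the process loaded

# Patterns mirror the slide's query terms; matching is case-insensitive like an EDR search.
MKLINK_RE = re.compile(r'cmd\.exe"?\s+/c\s+mklink\s+/d', re.I)
VSHADOW_P_RE = re.compile(r'(^|\s)-p\s+c:\\', re.I)
SHADOW_VOL_RE = re.compile(r'\\device\\harddiskvolumeshadowcopy\d*\\', re.I)

def match_rules(ev: ProcessEvent) -> list[str]:
    """Return the name of every slide rule this event satisfies (empty list = no hit)."""
    hits = []
    # modload:vss_ps.dll cmdline:"-p" -path:System32\werfault.exe
    loads_vss = any(m.lower() == "vss_ps.dll" for m in ev.modloads)
    is_werfault = ev.path.lower().endswith(r"\system32\werfault.exe")
    if loads_vss and "-p" in ev.cmdline and not is_werfault:
        hits.append("vss_ps.dll loaded by a non-werfault process")
    # cmdline:""C:\Windows\system32\cmd.exe" /c mklink /D"
    if MKLINK_RE.search(ev.cmdline):
        hits.append("cmd.exe running mklink /D (shadow being mounted)")
    # process_name:vshadow.exe AND cmdline:"-p C:\"
    if ev.process_name.lower() == "vshadow.exe" and VSHADOW_P_RE.search(ev.cmdline):
        hits.append("vshadow.exe creating a persistent shadow of C:")
    # path:device/harddiskvolumeshadowcopy*  (image executed from inside a shadow copy)
    if SHADOW_VOL_RE.search(ev.path):
        hits.append("image executed from a shadow copy volume")
    return hits

# Constructed sample events: a benign werfault baseline plus the three steps of the abuse chain.
SAMPLE_EVENTS = [
    ProcessEvent("werfault.exe", "werfault.exe -p 1234",
                 r"\device\harddiskvolume1\windows\system32\werfault.exe", ["vss_ps.dll"]),
    ProcessEvent("vshadow.exe", "vshadow.exe -p C:\\",
                 r"\device\harddiskvolume1\users\master\vshadow.exe", ["vss_ps.dll"]),
    ProcessEvent("cmd.exe", '"C:\\Windows\\system32\\cmd.exe" /c mklink /D C:\\shadow '
                 '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\',
                 r"\device\harddiskvolume1\windows\system32\cmd.exe"),
    ProcessEvent("f1f94d81.exe", "f1f94d81.exe",
                 r"\device\harddiskvolumeshadowcopy1\f1f94d81.exe"),
]

def triage(events=SAMPLE_EVENTS) -> dict:
    """Map each flagged process name to its rule hits; silent events are dropped."""
    return {ev.process_name: h for ev in events if (h := match_rules(ev))}
```

The werfault event loads vss_ps.dll with a "-p" argument yet produces no hit, which is exactly the exclusion the first query's "-path:" clause expresses.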
How to prevent this infection

Warning

The file paths that have been used by this infection and its droppers are:
  ● C:\f1f94d81\f1f94d81.exe
  ● C:\Users\master\AppData\Roaming\f1f94d81.exe
  ● C:\Users\master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1f94d81.exe
Block executables in %AppData%
  Path: %AppData%\*.exe
  Security Level: Disallowed

Block executables in %LocalAppData%
  1. Path if using Windows XP: %UserProfile%\Local Settings\*.exe
  2. Path if using Windows Vista/7/8: %LocalAppData%\*.exe
  3. Security Level: Disallowed
  4. Description: Don't allow executables to run from %AppData%
Ryan Nolette, Carbon Black
https://github.com/sonofagl1tch
https://www.carbonblack.com/author/ryan-nolette/
Flag it, Tag it, and Bag it.